Hello.
We have a problem on FortiOS 5.6.3 with LDAP admin accounts. When the admin tries to log in to the firewall, the login is accepted but a password change is requested:
This Account is using the default password, it is strongly recommended that you change your password.
Does anyone know why this is happening?
AtiT
Hi,
I thought it's obvious from the message and your logon, but ...
It happens simply because you are using the default admin with the default "blank" password, which is really not a great idea for a firewall.
Anybody who can find out the IP/FQDN of your firewall and can access it through the port (allowaccess, trusted hosts) is then able to log in as admin and change whatever he/she wants.
As Fortinet decided that it is really bad practice to leave the super admin account unprotected, that is why you get a warning/reminder at each logon you do without a password set.
Best regards,
Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hello,
Thanks for the update.
But it is not the case. The account has a regular password, not blank.
We have a customer with the same problem and I was able to replicate the issue in the lab.
AtiT
Hi,
I did quick retest and was not able to reproduce the issue.
Once I have used the button to change the password for default "admin" account I have no more warnings.
My setup is as below:
- Version: FortiGate-VM64 v5.6.3,build1547,171204 (GA)
config user ldap
    edit "LDAP_ALFA"
        set server "10.109.19.88"
        set cnid "cn"
        set dn "dc=alfa,dc=xsilver,dc=org"
        set type regular
        set username "administrator@alfa.xsilver.org"
        set password ENC Y2fC2kVGd0h...cut...
    next
end
config user group
    edit "remote-admins"
        set member "LDAP_ALFA"
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC SH2ImCGhgpKr330gEBA/Lh62cWD7MhkCkcFva0Nz8sSnJ+zyHxP76cppL3RZQc=
    next
    edit "test"
        set remote-auth enable
        set accprofile "super_admin"
        set vdom "root"
        set remote-group "remote-admins"
        set password ENC SH2qR4eenfT6qoqMt+bD3ic53i6tj7R31IeEh8bb6XJrCR44rtBM9tHju4Zo9A=
    next
end
What is your config ?
kind regards,
Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hello,
This is my config:
# get sys status | grep build
Version: FortiGate-80D v5.6.3,build1547,171204 (GA)
config user ldap
    edit "LAB"
        set server "192.168.221.10"
        set secondary-server "192.168.222.10"
        set cnid "sAMAccountName"
        set dn "ou=lab,dc=lab,dc=gts,dc=cz"
        set type regular
        set username "administrator@lab.gts.cz"
        set password ENC 3gXQSQKut2Tn5dPpXZjx9cMoUJNyNFOuJvgEYwAWvmpIQ6Dlfs1J+IVi1obbsO6LoburGJMcveexLBBqXUB5HdUHr71ldKXxSWR0MEsugzJZQpzFFNVK5hUSENaShXmWyn6sEuxTvpG4Lqo8P+lgfmnUkFYGh9aQdMIcu3W/SujGP4Em2z/RENXttVW6WuOjq28NwQ==
        set secure ldaps
        set ca-cert "CA_Cert_3"
        set port 636
        set password-expiry-warning enable
        set password-renewal enable
    next
end
config user group
    edit "fwadminsldap"
        set member "LAB"
        config match
            edit 1
                set server-name "LAB"
                set group-name "CN=fwadminsldap,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz"
            next
        end
    next
end
config system admin
    edit "LDAPadmins"
        set remote-auth enable
        set accprofile "super_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "fwadminsldap"
    next
end
I can see that in your admin config the wildcard option is missing. It means that the admin "test" with the password stored in LDAP will be authenticated. This is not our case. (But it did not work for me either - the login was successful but the FGT showed me the login page again.)
The authd and fnbamd debug show this:
[2127] handle_req-Rcvd auth req 825730477 for fwadmin in fwadminsldap opt=00014001 prot=10
[355] __compose_group_list_from_req-Group 'fwadminsldap'
[605] fnbamd_pop3_start-fwadmin
[340] radius_start-Didn't find radius servers (0)
[701] auth_tac_plus_start-Didn't find tac_plus servers (0)
[871] resolve_ldap_FQDN-Resolved address 192.168.221.10, result 192.168.221.10
[871] resolve_ldap_FQDN-Resolved address 192.168.222.10, result 192.168.222.10
[1147] build_search_base-search base is: ou=lab,dc=lab,dc=gts,dc=cz
[1267] fnbamd_ldap_init-search filter is: sAMAccountName=fwadmin
[492] create_auth_session-Total 1 server(s) to try
[263] start_search_dn-base:'ou=lab,dc=lab,dc=gts,dc=cz' filter:sAMAccountName=fwadmin
[1653] fnbamd_ldap_get_result-Going to SEARCH state
[2832] auth_ldap_result-Continue pending for req 825730477
[296] get_all_dn-Found DN 1:CN=fwadmin,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz
[310] get_all_dn-Found 1 DN's
[344] start_next_dn_bind-Trying DN 1:CN=fwadmin,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz
[1701] fnbamd_ldap_get_result-Going to USERBIND state
[2832] auth_ldap_result-Continue pending for req 825730477
[570] start_user_attrs_lookup-Adding attr 'memberOf'
[591] start_user_attrs_lookup-base:'CN=fwadmin,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz' filter:cn=*
[1757] fnbamd_ldap_get_result-Entering CHKUSERATTRS state
[2832] auth_ldap_result-Continue pending for req 825730477
[793] get_member_of_groups-Get the memberOf groups.
[828] get_member_of_groups- attr='memberOf', found 1 values
[91] ldap_grp_list_add-added CN=fwadminsldap,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz
[837] get_member_of_groups-val[0]='CN=fwadminsldap,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz'
[626] start_primary_group_lookup-starting check...
[630] start_primary_group_lookup-number of sub auths 5
[648] start_primary_group_lookup-base:'ou=lab,dc=lab,dc=gts,dc=cz' filter:(&(objectclass=group)(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\5b\93\7a\51\bb\78\68\5c\bf\c4\1a\88\01\02\00\00))
[1780] fnbamd_ldap_get_result-Entering CHKPRIMARYGRP state
[2832] auth_ldap_result-Continue pending for req 825730477
[765] get_primary_groups-
[1814] fnbamd_ldap_get_result-Auth accepted
[1925] fnbamd_ldap_get_result-Going to DONE state res=0
[146] __ldap_copy_grp_list-copied CN=fwadminsldap,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz
[2738] fnbamd_auth_poll_ldap-Result for ldap svr 192.168.221.10 is SUCCESS
[2753] fnbamd_auth_poll_ldap-Passed group matching
[943] find_matched_usr_grps-Group 'fwadminsldap' passed group matching
[944] find_matched_usr_grps-Add matched group 'fwadminsldap'(12)
[182] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 825730477
[637] destroy_auth_session-delete session 825730477
[53] ldap_grp_list_del_all-Del CN=fwadminsldap,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz
====== here I tried to change the password - but no success =======
[2530] handle_req-Rcvd 8 req
[928] fnbamd_cfg_get_radius_acct_servers-Error finding rad server LAB
[365] fnbamd_acct_start_STOP-Error getting radius server
[1345] create_acct_session-Error start acct type 8
[2544] handle_req-Error creating acct session 8
------ it seems to me that it tries to change the password via RADIUS server. Probably LDAP is not supported?
AtiT
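Editor's note: the debug output above is the kind of thing one ends up reading by eye. As an added example (not code from this thread and not a Fortinet tool), here is a small Python parser for fnbamd debug entries of the form `[line] function-message` as they appear when captured from the FortiOS CLI (assumed to be `diagnose debug application fnbamd -1` output). It splits entries even when several were run together on one line, and reduces one remote-admin authentication attempt to the facts worth checking: the request id and user, the DN that bound, the memberOf groups found, whether the LDAP server reported SUCCESS and the group match passed, the result code sent back, and every entry that reports an error (the accounting errors at the end of AtiT's capture show up there). The sample input is constructed from the entries AtiT posted, trimmed for length; the function names and dictionary keys are this example's own.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample: the fnbamd debug entries AtiT posted in this thread, trimmed
# for length and partly left run together on one line (as the forum extraction
# rendered them) so the splitter has to find entry boundaries itself.
SAMPLE_FNBAMD_DEBUG = r"""
[2127] handle_req-Rcvd auth req 825730477 for fwadmin in fwadminsldap opt=00014001 prot=10 [355] __compose_group_list_from_req-Group 'fwadminsldap' [605] fnbamd_pop3_start-fwadmin
[340] radius_start-Didn't find radius servers (0) [701] auth_tac_plus_start-Didn't find tac_plus servers (0)
[871] resolve_ldap_FQDN-Resolved address 192.168.221.10, result 192.168.221.10
[1147] build_search_base-search base is: ou=lab,dc=lab,dc=gts,dc=cz
[1267] fnbamd_ldap_init-search filter is: sAMAccountName=fwadmin
[296] get_all_dn-Found DN 1:CN=fwadmin,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz
[344] start_next_dn_bind-Trying DN 1:CN=fwadmin,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz
[828] get_member_of_groups- attr='memberOf', found 1 values [91] ldap_grp_list_add-added CN=fwadminsldap,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz [837] get_member_of_groups-val[0]='CN=fwadminsldap,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz'
[1814] fnbamd_ldap_get_result-Auth accepted
[2738] fnbamd_auth_poll_ldap-Result for ldap svr 192.168.221.10 is SUCCESS
[2753] fnbamd_auth_poll_ldap-Passed group matching
[944] find_matched_usr_grps-Add matched group 'fwadminsldap'(12)
[182] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 825730477
[637] destroy_auth_session-delete session 825730477
[2530] handle_req-Rcvd 8 req
[928] fnbamd_cfg_get_radius_acct_servers-Error finding rad server LAB
[365] fnbamd_acct_start_STOP-Error getting radius server
[1345] create_acct_session-Error start acct type 8
[2544] handle_req-Error creating acct session 8
"""

# One entry is "[<source line>] <function>-<message>". The next entry may follow
# on the same line, so entries end at the lookahead for the next "[NNN] func-"
# marker, not at a newline. A "[0]" inside a message (val[0]=...) is not a
# boundary because no "func-" follows it.
ENTRY_RE = re.compile(r"\[(\d+)\]\s+(\w+)-(.*?)(?=\s*\[\d+\]\s+\w+-|\Z)", re.S)


def parse_entries(blob: str) -> List[Tuple[str, str]]:
    """Return (function, message) pairs in the order fnbamd emitted them."""
    return [(m.group(2), m.group(3).strip()) for m in ENTRY_RE.finditer(blob)]


def summarize_auth(blob: str) -> Dict[str, Any]:
    """Reduce one remote-admin auth attempt to the facts worth checking."""
    s: Dict[str, Any] = {
        "req_id": None, "user": None, "group": None, "search_filter": None,
        "dns_found": [], "member_of": [], "ldap_auth_accepted": False,
        "server_results": {}, "matched_groups": [], "result_code": None,
        "errors": [],
    }
    for func, msg in parse_entries(blob):
        if func == "handle_req":
            m = re.match(r"Rcvd auth req (\d+) for (\S+) in (\S+)", msg)
            if m:
                s["req_id"], s["user"], s["group"] = m.groups()
        elif func == "fnbamd_ldap_init":
            m = re.match(r"search filter is: (.+)", msg)
            if m:
                s["search_filter"] = m.group(1)
        elif func == "get_all_dn":
            m = re.match(r"Found DN \d+:(.+)", msg)
            if m:
                s["dns_found"].append(m.group(1))
        elif func == "ldap_grp_list_add":
            m = re.match(r"added (.+)", msg)
            if m:
                s["member_of"].append(m.group(1))
        elif func == "fnbamd_ldap_get_result" and msg == "Auth accepted":
            s["ldap_auth_accepted"] = True
        elif func == "fnbamd_auth_poll_ldap":
            m = re.match(r"Result for ldap svr (\S+) is (\S+)", msg)
            if m:
                s["server_results"][m.group(1)] = m.group(2)
        elif func == "find_matched_usr_grps":
            m = re.match(r"Add matched group '([^']+)'", msg)
            if m:
                s["matched_groups"].append(m.group(1))
        elif func == "fnbamd_comm_send_result":
            m = re.match(r"Sending result (\d+) \(error (\d+), nid (\d+)\)", msg)
            if m:
                s["result_code"] = int(m.group(1))
        # fnbamd prefixes failures with "Error"; collect them regardless of function.
        if msg.startswith("Error"):
            s["errors"].append(f"{func}: {msg}")
    # Result 0 with at least one server reporting SUCCESS is a successful remote auth.
    s["authenticated"] = s["result_code"] == 0 and "SUCCESS" in s["server_results"].values()
    return s


if __name__ == "__main__":
    for key, value in summarize_auth(SAMPLE_FNBAMD_DEBUG).items():
        print(f"{key}: {value}")
```

Run against the sample, `authenticated` is True while `errors` holds the four accounting-related entries, which is exactly the split AtiT describes: the LDAP bind and group match succeed, and only the follow-up request after the password-change attempt fails.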
Ahaaa .. wildcard admin which has no backup password .. got it !
That's actually a bug 0294898 in 5.6.3 which is supposed to be fixed in 5.6.4 and 6.0.0
And the workaround is simple:
config system admin
edit "LDAPadmins"
unset wildcard
set password someWeryRandomAndStrongPaSsword
set wildcard enable
end
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
This workaround fixed the issue. Thank you :)
AtiT
Tomas (xsilver),
That workaround is perfect.
Thank you so so much!
Cheers,
Elthon
Elthon Abreu FCNSA v5